Linux 2.19 Open Source Gold Release

Supported the Key Separation and Sharing (KSS) feature in Simulation mode.
Upgraded to OpenSSL 1.1.1t.
Upgraded Intel(R) SGX Quote Verification Enclave to integrate SgxSSL/OpenSSL
  version 1.1.1t.
Added new API in quote verification library to extract FMSPC
  (Family-Model-SteppingPlatform-CustomSKU) value from ECDSA quote.
Added Rust support for SGX ECDSA quote generation.
Added Linux kernel 5.19 support in TDX R3AAL (Ring 3 Attestation Abstraction Layer).
Removed Protobuf in TDX QGS (Quote Generation Service) and R3AAL (Ring 3
  Attestation Abstraction Layer).
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

Author: llly

Makefile.psw_dcap

@@ -64,19 +64,11 @@ ippcp:
 	$(MAKE) -C external/ippcp_internal/
 
 sdk: ippcp
-	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=LOAD
-	$(MAKE) -C sdk/ clean
-	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=CF
-	$(MAKE) -C sdk/ clean
 	$(MAKE) -C sdk/
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=LOAD
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF clean
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl clean
 	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl
 
 install_sdk: sdk
-	./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
+	./linux/installer/bin/build-installpkg.sh sdk
 ifeq ($(call DIR_EXISTS,$(SGX_SDK)),)
 	./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=$(dir $(SGX_SDK))
 endif

Makefile.psw_tdx

@@ -63,19 +63,11 @@ endif
 ippcp:
 	$(MAKE) -C external/ippcp_internal/
 sdk: ippcp
-	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=LOAD
-	$(MAKE) -C sdk/ clean
-	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=CF
-	$(MAKE) -C sdk/ clean
 	$(MAKE) -C sdk/
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=LOAD
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF clean
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF
-	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl clean
 	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl
 
 install_sdk: sdk
-	./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
+	./linux/installer/bin/build-installpkg.sh sdk
 ifeq ($(call DIR_EXISTS,$(SGX_SDK)),)
 	./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=$(dir $(SGX_SDK))
 endif

README.md

@@ -102,7 +102,8 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
 - Use the following command(s) to install the required tools to build the Intel(R) SGX SDK:
   * On Ubuntu 18.04 and Debian 10:
   ```
-    $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python libssl-dev git cmake perl
+    $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python3 libssl-dev git cmake perl
+    $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
   * On Ubuntu 20.04 and Ubuntu 22.04:
   ```
@@ -111,25 +112,26 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   * On Red Hat Enterprise Linux 8.6:
   ```
     $ sudo yum groupinstall 'Development Tools'
-    $ sudo yum install ocaml ocaml-ocamlbuild wget python2 openssl-devel git cmake perl
-    $ sudo alternatives --set python /usr/bin/python2
+    $ sudo yum install ocaml ocaml-ocamlbuild wget python3 openssl-devel git cmake perl
+    $ sudo alternatives --set python /usr/bin/python3
   ```
   * On CentOS Stream 8 and CentOS 8.3:
   ```
     $ sudo dnf group install 'Development Tools'
-    $ sudo dnf --enablerepo=powertools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2
-    $ sudo alternatives --set python /usr/bin/python2
+    $ sudo dnf --enablerepo=powertools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python3
+    $ sudo alternatives --set python /usr/bin/python3
   ```
   * On Anolis 8.6:
   ```
     $ sudo dnf group install 'Development Tools'
-    $ sudo dnf --enablerepo=PowerTools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2
-    $ sudo alternatives --set python /usr/bin/python2
+    $ sudo dnf --enablerepo=PowerTools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python3
+    $ sudo alternatives --set python /usr/bin/python3
   ```
   * On SUSE Linux Enterprise Server 15.4:
   ```
     $ sudo zypper install --type pattern devel_basis
-    $ sudo zypper install ocaml ocaml-ocamlbuild automake autoconf libtool wget python libopenssl-devel rpm-build git cmake perl
+    $ sudo zypper install ocaml ocaml-ocamlbuild automake autoconf libtool wget python3 libopenssl-devel rpm-build git cmake perl
+    $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
    **Note**:  To build Intel(R) SGX SDK, gcc version is required to be 7.3 or above and glibc version is required to be 2.27 or above.
 - Use the following command to install additional required tools and latest Intel(R) SGX SDK Installer to build the Intel(R) SGX PSW:
@@ -140,19 +142,19 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
       ```
       * On Ubuntu 20.04 and Ubuntu 22.04:
       ```
-        $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip pkgconf libboost-dev libboost-system-dev libboost-thread-dev protobuf-c-compiler libprotobuf-c-dev lsb-release libsystemd0
+        $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip pkgconf libboost-dev libboost-system-dev libboost-thread-dev lsb-release libsystemd0
       ```
       * On Red Hat Enterprise Linux 8.6:
       ```
-        $ sudo yum install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils pkgconf boost-devel protobuf-lite-devel protobuf-c-compiler protobuf-c-devel systemd-libs
+        $ sudo yum install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils pkgconf boost-devel protobuf-lite-devel systemd-libs
       ```
       * On CentOS Stream 8 and CentOS 8.3:
       ```
-        $ sudo dnf --enablerepo=powertools install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils pkgconf boost-devel protobuf-lite-devel protobuf-c-compiler protobuf-c-devel systemd-libs
+        $ sudo dnf --enablerepo=powertools install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils pkgconf boost-devel protobuf-lite-devel systemd-libs
       ```
       * On Anolis 8.6:
       ```
-        $ sudo dnf --enablerepo=PowerTools install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils pkgconf boost-devel protobuf-lite-devel protobuf-c-compiler protobuf-c-devel systemd-libs
+        $ sudo dnf --enablerepo=PowerTools install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils pkgconf boost-devel protobuf-lite-devel systemd-libs
       ```
       * On SUSE Linux Enterprise Server 15.4:
       ```
@@ -343,24 +345,26 @@ Install the Intel(R) SGX SDK
   * Anolis OS 8.6 64bits
   * Debian 10 64bits
 - Use the following command to install the required tool to use Intel(R) SGX SDK:
-  * On Ubuntu 18.04, Ubuntu 20.04 and Debian 10:
+  * On Ubuntu 18.04 and Debian 10:
   ```
-    $ sudo apt-get install build-essential python
+    $ sudo apt-get install build-essential python3
+    $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
-   * On Ubuntu 22.04:
+   * On Ubuntu 20.04 and Ubuntu 22.04:
   ```
-    $ sudo apt-get install build-essential python2
+    $ sudo apt-get install build-essential python-is-python3
   ```
   * On Red Hat Enterprise Linux 8.6, CentOS Stream 8, CentOS 8.3 and Anolis OS 8.6:
   ```
      $ sudo yum groupinstall 'Development Tools'
-     $ sudo yum install python2
-     $ sudo alternatives --set python /usr/bin/python2
+     $ sudo yum install python3
+     $ sudo alternatives --set python /usr/bin/python3
   ```
   * On SUSE Linux Enterprise Server 15.4:
   ```
      $ sudo zypper install --type pattern devel_basis
-     $ sudo zypper install python 
+     $ sudo zypper install python3
+     $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
 
 ### Install the Intel(R) SGX SDK
@@ -403,6 +407,13 @@ See the later topic, *Install Intel(R) SGX PSW*, for information on how to insta
   $ ./app
 ```
    Use similar commands for other code samples.
+   **Note:** On Ubuntu 22.04 or any distro with systemd v248 or later, /dev/sgx_enclave is only accessible by users in the group "sgx". The enclave app should be run with a uid in the sgx group.
+   ```
+   # check systemd version:
+   $ systemctl --version
+   # add sgx group to user if it's 248 or above:
+   $ sudo usermod -a -G sgx <user name>
+   ```
 
 
 Install the Intel(R) SGX PSW

SampleCode/Cxx11SGXDemo/App/App.h

@@ -49,7 +49,6 @@
 #endif
 
 #if   defined(__GNUC__)
-# define TOKEN_FILENAME   "enclave.token"
 # define ENCLAVE_FILENAME "enclave.signed.so"
 #endif
 

SampleCode/Cxx14SGXDemo/App/App.h

@@ -49,7 +49,6 @@
 #endif
 
 #if   defined(__GNUC__)
-# define TOKEN_FILENAME   "enclave.token"
 # define ENCLAVE_FILENAME "enclave.signed.so"
 #endif
 

SampleCode/Cxx17SGXDemo/App/App.h

@@ -49,7 +49,6 @@
 #endif
 
 #if   defined(__GNUC__)
-# define TOKEN_FILENAME   "enclave.token"
 # define ENCLAVE_FILENAME "enclave.signed.so"
 #endif
 

SampleCode/ProtobufSGXDemo/App/App.h

@@ -49,7 +49,6 @@
 #endif
 
 #if   defined(__GNUC__)
-# define TOKEN_FILENAME   "enclave.token"
 # define ENCLAVE_FILENAME "enclave.signed.so"
 #endif
 

SampleCode/ProtobufSGXDemo/Enclave/person.proto

@@ -1,3 +1,34 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of Intel Corporation nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
 package lm; 
 message Person
 { 

SampleCode/SampleAttestedTLS/README.md

@@ -122,6 +122,7 @@ Note:
     running in this sample.
     The project has a pre-preparation script - prepare_sgxssl.sh to prepare the SgxSSL libraries and link to them in
     the Makefile.
+    Note that script "prepare_sgxssl.sh" requires git installed and configured.
   - Limitation: No Simulation mode is supported.
 
 ### Running attested TLS server in loop

SampleCode/SampleAttestedTLS/prepare_sgxssl.sh

@@ -35,9 +35,9 @@ project_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 echo "project_dir is $project_dir"
 sgxssl_dir=$project_dir/sgxssl
 openssl_out_dir=$sgxssl_dir/openssl_source
-openssl_ver_name=openssl-1.1.1q
-sgxssl_github_archive=https://github.com/01org/intel-sgx-ssl/archive
-sgxssl_file_name=support_tls_lin_1.1.1q
+openssl_ver_name=openssl-1.1.1t
+intel_sgx_ssl_url=https://github.com/intel/intel-sgx-ssl
+support_tls_branch=support_tls
 build_script=$sgxssl_dir/Linux/build_openssl.sh
 server_url_path=https://www.openssl.org/source
 full_openssl_url=$server_url_path/$openssl_ver_name.tar.gz
@@ -56,22 +56,10 @@ if [ $debug == true ] ; then
 	read -n 1 -p "download souce code only, because we need to build ourselves"
 fi
 
-openssl_chksum=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca
-sgxssl_chksum=0ab6f62bda33e760422d502ba4812d058e50516ebb82e6c7713c78f580a7d622
-rm -f check_sum_openssl.txt check_sum_sgxssl.txt
+openssl_chksum=8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b
+rm -f check_sum_openssl.txt
 if [ ! -f $build_script ]; then
-    wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
-    sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
-    grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
-    if [ $? -ne 0 ]; then
-        echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
-        rm -f $sgxssl_dir/$sgxssl_file_name.zip
-        exit -1
-    fi
-    unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1
-    mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1
-    rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1
-    rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1
+    git clone $intel_sgx_ssl_url -b $support_tls_branch $sgxssl_dir || exit 1  
 fi
 
 if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then

SampleCode/SampleAttestedTLS/server_tdx/Makefile

@@ -0,0 +1,41 @@
+#
+# Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+#   * Redistributions of source code must retain the above copyright
+#     notice, this list of conditions and the following disclaimer.
+#   * Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in
+#     the documentation and/or other materials provided with the
+#     distribution.
+#   * Neither the name of Intel Corporation nor the names of its
+#     contributors may be used to endorse or promote products derived
+#     from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+include ../sgxenv.mk
+
+all: server
+
+server:
+	$(CXX) -c -DTDX_ENV -DCLIENT_USE_QVL $(App_Cpp_Flags) server.cpp openssl_server.cpp ../common/verify_callback.cpp ../common/utility.cpp ../common/openssl_utility.cpp ../common/err_msg.cpp
+	$(CXX) -o tls_server server.o openssl_server.o verify_callback.o utility.o openssl_utility.o err_msg.o $(App_Link_Flags) -lssl -ltdx_tls -lsgx_dcap_quoteverify -l:libtdx_attest.so.1
+
+clean:
+	rm -f tls_server *.o